Role-based access control is not a generic term!
Role-Based Access Control was introduced as a formal model by David Ferraiolo and Richard Kuhn almost 25 years ago.A role based access control (RBAC) policy bases access control decisions on the functions a user is allowed to perform within an organization. The users can not pass access permissions on to other users at their discretion.Ten years later the same authors proposed RBAC as a formal standard in this paper with functional specs in Z-notation.
In 2004 the RBAC formal model was adopted by ANSI as a specification - INCITS 359.
RBAC model four components:
- Core RBAC
- Hierarchical RBAC
- Static Separation of Duty Relations
- Dynamic Separation of Duty Relations
The RBAC model as a whole is fundamentally defined in terms of individual users being assigned to roles and permissions being assigned to roles. As such, a role is a means for naming many-to-many relationships among individual users and permissions. In addition, the core RBAC model includes a set of sessions (SESSIONS) where each session is a mapping between a user and an activated subset of roles that are assigned to the user.
So, ANSI RBAC Object Model has six basic elements:
- User – human or machine entity
- Role – a job function within an organization
- Object – maps to system resources
- Operation – executable image of program
- Permission – approval to perform an Operation on one or more Objects
- Session – contains set of activated roles for User
